08b6af118b07cddd18958ea427ef26f87c39771ccdad3ed7e6b8f0c4641f53f6 | Triage

Analysis

max time kernel
888s
max time network
893s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/05/2023, 10:58

Sharing

Report Analysis Logs

General

Target

CobaltStrike48-pwn3rzs-cyberarsenal_ucare/Client/cobaltstrike-client.cmd
Size

173B
MD5

7fcd9056d9d68e9bf0575a6a2f1f0ae8
SHA1

729de7a8c0781d721ff5801c2a93c0fd085bdc16
SHA256

f350ab5ca2a13db470fac76f7bfe80651a0aa577c9cf05afab301bacc9761e7c
SHA512

3f9ba648f847115f818cab1402a0eacbcf1ad332e6b4b7c361f77ef5a86ce197f270a8159889d84c38f2cdf400c11004cec73cc3a43ae30b6a4dc1340b0cff9c

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1720	java.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1720	1260	cmd.exe	29
PID 1260 wrote to memory of 1720	1260	cmd.exe	29
PID 1260 wrote to memory of 1720	1260	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CobaltStrike48-pwn3rzs-cyberarsenal_ucare\Client\cobaltstrike-client.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\system32\java.exe
  java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -javaagent:uHook.jar -jar cobaltstrike-client.jar $*
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads